api.c: prevent array out-of-bounds access in cgroup_create_template_group

In the function src/api.c/cgroup_create_template_group,
the loop condition:

while (tmp->controllers[i] != NULL) {

allows accessing tmp->controllers[MAX_MNT_ELEMENTS] if tmp->controllers
is full and lacks a terminating NULL.

Add explicit bounds checking (i < MAX_MNT_ELEMENTS) while maintaining
the NULL check. This ensures that there will never be reading past
the array boundaries regardless of its content.

Found by Linux Verification Center (linuxtesting.org) with SVACE.

Signed-off-by: Mikhail Dmitrichenko <m.dmitrichenko222@gmail.com>
Acked-by: Kamalesh Babulal <kamalesh.babulal@oracle.com>
Signed-off-by: Tom Hromatka <tom.hromatka@oracle.com>
(cherry picked from commit a34831579172371ec55272b07e5f2995eea1459f)

diff --git a/src/api.c b/src/api.c
index 44032f502c2e0e6ff9d367a99a86eb62a1511f28..ec81da0ca1388de2cb8e372efcf0f1130108dc37 100644 (file)
--- a/src/api.c
+++ b/src/api.c
@@ -4591,7 +4591,7 @@ static int cgroup_create_template_group(char *orig_group_name, struct cgroup_rul
 
                /* Test for which controllers wanted group does not exist */
                i = 0;
-               while (tmp->controllers[i] != NULL) {
+               while (i < MAX_MNT_ELEMENTS && tmp->controllers[i] != NULL) {
                        exist = cgroup_exist_in_subsystem(tmp->controllers[i], group_name);
 
                        if (exist != 0) {